CVE-2026-16208
Received Received - Intake

Race Condition in django-tastypie Cache Throttle

Vulnerability report for CVE-2026-16208, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A flaw has been found in django-tastypie up to 0.15.1. The affected element is the function CacheThrottle/CacheDBThrottle of the file tastypie/throttle.py. This manipulation causes race condition. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
django-tastypie django-tastypie to 0.15.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16208 affects django-tastypie up to version 0.15.1. It involves two issues: 1) ApiKeyAuthentication accepts credentials via URL parameters or POST fields instead of requiring the Authorization header, exposing them in logs and browser history. 2) CacheThrottle and CacheDBThrottle use non-atomic cache operations, allowing attackers to bypass rate limits through concurrent requests.

Detection Guidance

To detect this vulnerability, check if django-tastypie 0.15.1 or earlier is installed using pip list or pip show django-tastypie. Inspect API authentication logs for credentials passed via URL parameters or POST fields instead of the Authorization header. Monitor rate limiting logs for CacheThrottle/CacheDBThrottle bypass attempts during high concurrency.

Impact Analysis

If exploited, attackers could bypass rate limits by sending concurrent requests, potentially overwhelming the system. Credentials exposed via URL parameters or POST fields could lead to unauthorized access if intercepted. The complexity of exploitation is high, making attacks less likely but still possible.

Compliance Impact

Exposing API credentials via logs or URLs could violate data protection requirements under GDPR or HIPAA, as it may lead to unauthorized access to sensitive data. Non-compliance risks include fines and reputational damage.

Mitigation Strategies

Immediately upgrade django-tastypie to the latest version if available. Enforce the use of the Authorization header for API credentials and disable GET/POST parameter fallback. Implement atomic cache operations for throttling to prevent race conditions. Review and update rate limiting configurations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart